@flui-cloud/cli 0.0.1 → 0.1.0

package/lib/cli/src/services/cli-clusters.service.d.ts

@@ -9,7 +9,7 @@ import { EncryptionService } from '../../../src/modules/shared/encryption/servic
 import { CliSshService } from './cli-ssh.service';
 import { CliCaService } from './cli-ca.service';
 import { ProviderFactory } from '../../../src/modules/providers/services/provider.factory';
-import { HetznerFirewallService } from '../../../src/modules/providers/services/hetzner-firewall.service';
+import { FirewallProviderFactory } from '../../../src/modules/providers/core/factories/firewall-provider.factory';
 /**
  * CLI Clusters Service
  *
@@ -26,10 +26,10 @@ export declare class CliClustersService {
     private readonly sshService;
     private readonly caService;
     private readonly providerFactory;
-    private readonly firewallService;
+    private readonly firewallFactory;
     private readonly infrastructureQueue;
     private readonly logger;
-    constructor(clusterRepository: CliClusterRepository, operationRepository: CliOperationRepository, nodeRepository: CliNodeRepository, firewallRepository: CliFirewallRepository, encryptionService: EncryptionService, sshService: CliSshService, caService: CliCaService, providerFactory: ProviderFactory, firewallService: HetznerFirewallService, infrastructureQueue: any);
+    constructor(clusterRepository: CliClusterRepository, operationRepository: CliOperationRepository, nodeRepository: CliNodeRepository, firewallRepository: CliFirewallRepository, encryptionService: EncryptionService, sshService: CliSshService, caService: CliCaService, providerFactory: ProviderFactory, firewallFactory: FirewallProviderFactory, infrastructureQueue: any);
     /**
      * Create a new cluster
      */

package/lib/cli/src/services/cli-clusters.service.js

@@ -63,7 +63,7 @@ const encryption_service_1 = require("../../../src/modules/shared/encryption/ser
 const cli_ssh_service_1 = require("./cli-ssh.service");
 const cli_ca_service_1 = require("./cli-ca.service");
 const provider_factory_1 = require("../../../src/modules/providers/services/provider.factory");
-const hetzner_firewall_service_1 = require("../../../src/modules/providers/services/hetzner-firewall.service");
+const firewall_provider_factory_1 = require("../../../src/modules/providers/core/factories/firewall-provider.factory");
 const fs = __importStar(require("node:fs"));
 const path = __importStar(require("node:path"));
 const os = __importStar(require("node:os"));
@@ -75,7 +75,7 @@ const os = __importStar(require("node:os"));
  * Integrates SSH and CA management for secure server access.
  */
 let CliClustersService = CliClustersService_1 = class CliClustersService {
-    constructor(clusterRepository, operationRepository, nodeRepository, firewallRepository, encryptionService, sshService, caService, providerFactory, firewallService, infrastructureQueue) {
+    constructor(clusterRepository, operationRepository, nodeRepository, firewallRepository, encryptionService, sshService, caService, providerFactory, firewallFactory, infrastructureQueue) {
         this.clusterRepository = clusterRepository;
         this.operationRepository = operationRepository;
         this.nodeRepository = nodeRepository;
@@ -84,7 +84,7 @@ let CliClustersService = CliClustersService_1 = class CliClustersService {
         this.sshService = sshService;
         this.caService = caService;
         this.providerFactory = providerFactory;
-        this.firewallService = firewallService;
+        this.firewallFactory = firewallFactory;
         this.infrastructureQueue = infrastructureQueue;
         this.logger = new common_1.Logger(CliClustersService_1.name);
     }
@@ -134,17 +134,17 @@ let CliClustersService = CliClustersService_1 = class CliClustersService {
         const jwtSecret = this.generateSecurePassword(64);
         const adminEmail = createClusterDto.metadata?.adminEmail || '';
         const adminPassword = this.generateSecurePassword(24);
-        // Generate Zitadel secrets (only used by OBSERVABILITY clusters)
+        // Generate Zitadel secrets (only used by control clusters)
         const zitadelMasterkey = this.generateSecurePassword(32);
         const zitadelDbAdminPassword = this.generateSecurePassword(32);
         const zitadelDbUserPassword = this.generateSecurePassword(32);
         const zitadelAdminTempPassword = this.generateSecurePassword(24);
         // Get worker count from DTO
         const workerCount = createClusterDto.workerCount;
-        // Determine cluster type from metadata (same logic as API)
+        // Determine cluster type from metadata (same logic as API; accept legacy flag)
         const metadata = createClusterDto.metadata || {};
-        const clusterType = metadata.isObservabilityCluster
-            ? cluster_entity_1.ClusterType.OBSERVABILITY
+        const clusterType = metadata.isControlCluster || metadata.isObservabilityCluster
+            ? cluster_entity_1.ClusterType.CONTROL
             : cluster_entity_1.ClusterType.WORKLOAD;
         const hostnameMode = createClusterDto.endpointHostnameMode ?? hostname_mode_enum_1.HostnameMode.IP;
         let nipHostnameToken = null;
@@ -266,7 +266,7 @@ let CliClustersService = CliClustersService_1 = class CliClustersService {
         if (!cluster) {
             throw new Error(`Cluster ${id} not found`);
         }
-        this.logger.log(`Deleting observability cluster ${id} (${cluster.name})`);
+        this.logger.log(`Deleting control cluster ${id} (${cluster.name})`);
         this.logger.log(`Cluster details: ${JSON.stringify({
             id: cluster.id,
             name: cluster.name,
@@ -367,14 +367,14 @@ let CliClustersService = CliClustersService_1 = class CliClustersService {
                     labels: s.labels?.map((l) => `${l.key}=${l.value}`),
                 })))}`);
             }
-            // Filter servers that belong to this observability cluster
+            // Filter servers that belong to this control cluster
             const orphanedServers = allServers.filter((server) => {
                 // Check if already deleted in Phase 1
                 if (deletedServerIds.has(server.provider_resource_id)) {
                     this.logger.log(`Skipping server ${server.name} - already deleted in Phase 1`);
                     return false;
                 }
-                // Check if server belongs to this observability cluster
+                // Check if server belongs to this control cluster
                 const hasObservabilityId = server.labels?.some((label) => label.key === 'flui-cluster-id' && label.value === cluster.id);
                 // Check if server is managed by flui
                 const isFluiManaged = server.labels?.some((label) => label.key === 'managed-by' && label.value === 'flui-cloud');
@@ -434,9 +434,11 @@ let CliClustersService = CliClustersService_1 = class CliClustersService {
             // PHASE 2.5: Delete cluster firewalls (GUARANTEED CLEANUP)
             this.logger.log(`Phase 2.5: Deleting cluster firewalls from ${cluster.provider}...`);
             try {
+                const providerEnum = (cluster.provider || '').toLowerCase();
+                const firewallService = this.firewallFactory.getFirewallProviderOrFail(providerEnum);
                 // STEP 1: Find ALL firewalls for this cluster
                 this.logger.log(`Searching for firewalls with label flui-cluster-id=${cluster.id}`);
-                const clusterFirewalls = await this.firewallService.listFirewalls({
+                const clusterFirewalls = await firewallService.listFirewalls({
                     clusterId: cluster.id,
                 });
                 this.logger.log(`Found ${clusterFirewalls.length} firewall(s) for cluster ${cluster.id}`);
@@ -444,13 +446,12 @@ let CliClustersService = CliClustersService_1 = class CliClustersService {
                 let allFirewalls = [...clusterFirewalls];
                 if (clusterFirewalls.length === 0) {
                     this.logger.log(`No firewalls found by label. Searching by name pattern...`);
-                    // Search for firewalls with observability pattern:
-                    // - Old pattern: flui-observability-{clusterId}
-                    // - New pattern: flui-observability-firewall-{timestamp}
-                    const allProviderFirewalls = await this.firewallService.listFirewalls({});
-                    const nameMatchedFirewalls = allProviderFirewalls.filter((fw) => fw.name === `flui-observability-${cluster.id}` ||
-                        fw.name.startsWith('flui-observability-firewall-') ||
-                        fw.name.startsWith('flui-firewall-temp-'));
+                    // Exact cluster-scoped names only — never global prefixes (would hit
+                    // another cluster's firewall).
+                    const allProviderFirewalls = await firewallService.listFirewalls({});
+                    const nameMatchedFirewalls = allProviderFirewalls.filter((fw) => fw.name === `flui-control-firewall-${cluster.id}` ||
+                        fw.name === `flui-control-${cluster.id}` ||
+                        fw.name === `flui-observability-${cluster.id}`);
                     if (nameMatchedFirewalls.length > 0) {
                         this.logger.log(`Found ${nameMatchedFirewalls.length} firewall(s) by name pattern:`);
                         nameMatchedFirewalls.forEach((fw) => {
@@ -462,26 +463,45 @@ let CliClustersService = CliClustersService_1 = class CliClustersService {
                         this.logger.log(`No firewalls found with observability name patterns`);
                     }
                 }
+                // STEP 1c: Sweep orphaned control firewalls left with a TEMPORARY name.
+                // A firewall created before a failed cluster run keeps its temp name
+                // (`flui-control-firewall` or `flui-control-firewall-<hex>`) and has no
+                // flui-cluster-id label, so neither the label query nor the scoped-name
+                // fallback above can find it. There is exactly one control cluster per
+                // environment, so any such firewall is leftover garbage from a previous
+                // attempt and is safe to remove while tearing down the control cluster.
+                // The regex only matches the temp form (8-hex suffix), never another
+                // cluster's UUID-scoped name.
+                if ((0, cluster_entity_1.isControlClusterType)(cluster.clusterType)) {
+                    const tempControlFirewall = /^flui-control-firewall(-[0-9a-f]{8})?$/;
+                    const known = new Set(allFirewalls.map((fw) => fw.id));
+                    const providerFirewalls = await firewallService.listFirewalls({});
+                    const orphans = providerFirewalls.filter((fw) => tempControlFirewall.test(fw.name) && !known.has(fw.id));
+                    if (orphans.length > 0) {
+                        this.logger.log(`Found ${orphans.length} orphaned control firewall(s) with a temporary name:`);
+                        orphans.forEach((fw) => this.logger.log(`  - ${fw.name} (${fw.id})`));
+                        allFirewalls.push(...orphans);
+                    }
+                }
                 if (allFirewalls.length === 0) {
                     this.logger.log('✓ No firewalls to delete for this cluster');
                 }
                 else {
-                    // STEP 2: Delete each firewall with retry logic for "resource_in_use" errors
+                    // STEP 2: Delete each firewall, retrying while the server still holds it
                     const deletePromises = allFirewalls.map(async (fw) => {
-                        const maxRetries = 5;
+                        const maxRetries = 6;
                         const retryDelay = 5000; // 5 seconds
                         for (let attempt = 1; attempt <= maxRetries; attempt++) {
                             try {
                                 this.logger.log(`Deleting firewall ${fw.name} (${fw.id}) - Attempt ${attempt}/${maxRetries}`);
-                                await this.firewallService.deleteFirewall(fw.id);
+                                await firewallService.deleteFirewall(fw.id);
                                 this.logger.log(`✓ Deleted firewall ${fw.name}`);
                                 return { success: true, id: fw.id, name: fw.name };
                             }
                             catch (error) {
-                                const isResourceInUse = error.message?.includes('resource_in_use') ||
-                                    error.message?.includes('still in use');
-                                if (isResourceInUse && attempt < maxRetries) {
-                                    this.logger.warn(`Firewall ${fw.name} is still in use. Waiting ${retryDelay}ms before retry ${attempt + 1}/${maxRetries}...`);
+                                // Retry on any error: the firewall frees up once the server is gone.
+                                if (attempt < maxRetries) {
+                                    this.logger.warn(`Firewall ${fw.name} not deletable yet (${error.message}); retry ${attempt + 1}/${maxRetries} in ${retryDelay}ms...`);
                                     await new Promise((resolve) => setTimeout(resolve, retryDelay));
                                     continue; // Retry
                                 }
@@ -500,7 +520,7 @@ let CliClustersService = CliClustersService_1 = class CliClustersService {
                     const failedCount = results.filter((r) => !r.success).length;
                     // STEP 3: VERIFICATION - Re-scan to ensure all deleted
                     this.logger.log('Verifying all firewalls deleted...');
-                    const remainingFirewalls = await this.firewallService.listFirewalls({
+                    const remainingFirewalls = await firewallService.listFirewalls({
                         clusterId: cluster.id,
                     });
                     if (remainingFirewalls.length > 0) {
@@ -509,7 +529,7 @@ let CliClustersService = CliClustersService_1 = class CliClustersService {
                         for (const fw of remainingFirewalls) {
                             try {
                                 this.logger.log(`RETRY: Deleting firewall ${fw.name} (${fw.id})`);
-                                await this.firewallService.deleteFirewall(fw.id);
+                                await firewallService.deleteFirewall(fw.id);
                                 this.logger.log(`✓ RETRY SUCCESS: Deleted firewall ${fw.name}`);
                             }
                             catch (error) {
@@ -517,7 +537,7 @@ let CliClustersService = CliClustersService_1 = class CliClustersService {
                             }
                         }
                         // Final verification
-                        const finalCheck = await this.firewallService.listFirewalls({
+                        const finalCheck = await firewallService.listFirewalls({
                             clusterId: cluster.id,
                         });
                         if (finalCheck.length > 0) {
@@ -559,13 +579,16 @@ let CliClustersService = CliClustersService_1 = class CliClustersService {
             if (provider.listSSHKeys && provider.deleteSSHKey) {
                 const allKeys = await provider.listSSHKeys();
                 this.logger.log(`Found ${allKeys.length} total SSH keys on provider`);
-                // Filter bootstrap keys for this observability cluster
+                // Filter bootstrap keys for this control cluster
                 const bootstrapKeys = allKeys.filter((key) => {
                     const tags = key.tags || {};
-                    const isFluiManaged = tags['managed-by'] === 'flui-cloud';
-                    const hasMatchingObsId = tags['flui-cluster-id'] === cluster.id;
-                    const isBootstrapKey = tags['flui-resource-type'] === 'ssh-key';
-                    return isFluiManaged && hasMatchingObsId && isBootstrapKey;
+                    const tagMatch = tags['managed-by'] === 'flui-cloud' &&
+                        tags['flui-cluster-id'] === cluster.id &&
+                        tags['flui-resource-type'] === 'ssh-key';
+                    // Scaleway IAM keys have no tags — match the cluster id in the name.
+                    const nameMatch = typeof key.name === 'string' &&
+                        key.name.startsWith(`flui-bootstrap-${cluster.id}`);
+                    return tagMatch || nameMatch;
                 });
                 this.logger.log(`Found ${bootstrapKeys.length} bootstrap SSH keys to clean up`);
                 // Delete bootstrap keys
@@ -758,5 +781,5 @@ exports.CliClustersService = CliClustersService = CliClustersService_1 = __decor
         cli_ssh_service_1.CliSshService,
         cli_ca_service_1.CliCaService,
         provider_factory_1.ProviderFactory,
-        hetzner_firewall_service_1.HetznerFirewallService, Object])
+        firewall_provider_factory_1.FirewallProviderFactory, Object])
 ], CliClustersService);

package/lib/cli/src/services/cli-control-cluster.service.d.ts

@@ -0,0 +1,129 @@
+import { ClusterEntity } from '../../../src/modules/infrastructure/clusters/entities/cluster.entity';
+import { CliClusterRepository } from '../lib/repositories/cli-cluster.repository';
+import { CliNodeRepository } from '../lib/repositories/cli-node.repository';
+import { CliClustersService } from './cli-clusters.service';
+import { CliOperationRepository } from '../lib/repositories/cli-operation.repository';
+import { CliSshService } from './cli-ssh.service';
+import { InfrastructureOperationEntity } from '../../../src/modules/infrastructure/servers/entities/infrastructure-operations.entity';
+/**
+ * CLI Control Cluster Service
+ *
+ * Simplified version of ObservabilityClusterService for CLI usage.
+ * Uses file-based repositories instead of TypeORM.
+ */
+export declare class CliControlClusterService {
+    private readonly clusterRepository;
+    private readonly nodeRepository;
+    private readonly clustersService;
+    private readonly operationRepository;
+    private readonly sshService;
+    private readonly logger;
+    constructor(clusterRepository: CliClusterRepository, nodeRepository: CliNodeRepository, clustersService: CliClustersService, operationRepository: CliOperationRepository, sshService: CliSshService);
+    /**
+     * Get the control cluster
+     */
+    getControlCluster(): Promise<ClusterEntity | null>;
+    /**
+     * Check if control cluster exists
+     */
+    hasControlCluster(): Promise<boolean>;
+    /**
+     * Get observability service endpoints
+     */
+    getObservabilityEndpoints(clusterId: string): Promise<{
+        prometheus?: string;
+        grafana?: string;
+        loki?: string;
+        postgres?: string;
+        redis?: string;
+        fluiApi?: string;
+        fluiWeb?: string;
+    }>;
+    /**
+     * Create control cluster
+     */
+    createControlCluster(provider: string, region: string, nodeSize: string, workerCount?: number, firewallId?: string, sourceCidrs?: string[], authMode?: string, envVnet?: {
+        vnetProviderResourceId: string;
+        vnetIpRange: string;
+        subnetProviderResourceId: string;
+        subnetIpRange: string;
+        subnetType: string;
+        networkZone: string;
+    }, adminEmail?: string, acmeStaging?: boolean, diskSizeGb?: number, options?: {
+        sharedStorageEnabled?: boolean;
+        sharedStorageVolumeSizeGb?: number;
+        useLatest?: boolean;
+    }): Promise<string>;
+    /**
+     * Deploy observability stack (Prometheus, Grafana, Loki)
+     */
+    deployObservabilityStack(clusterId: string): Promise<void>;
+    /**
+     * Delete control cluster
+     */
+    deleteControlCluster(): Promise<void>;
+    /**
+     * Get cluster operation by cluster ID
+     */
+    getClusterOperation(clusterId: string): Promise<InfrastructureOperationEntity | null>;
+    /**
+     * Wait for cluster to be ready by polling operation status
+     * @param clusterId Cluster ID to wait for
+     * @param timeoutMs Timeout in milliseconds (default: 10 minutes)
+     * @param pollIntervalMs Polling interval in milliseconds (default: 10 seconds)
+     * @returns Promise that resolves when cluster is ready
+     * @throws Error if timeout is reached or operation fails
+     */
+    waitForClusterReady(clusterId: string, timeoutMs?: number, pollIntervalMs?: number): Promise<void>;
+    /**
+     * Wait for master node IP address to become available
+     * Polls the cluster repository until masterIpAddress is populated
+     */
+    waitForMasterIp(clusterId: string, timeoutMs?: number, pollIntervalMs?: number): Promise<string>;
+    /**
+     * Wait for TCP port to become reachable on a host
+     */
+    waitForPortReady(host: string, port?: number, timeoutMs?: number, pollIntervalMs?: number): Promise<void>;
+    /**
+     * Wait for SSH to be fully ready (CA enrolled + cert auth working)
+     * Attempts an actual SSH command with retry until it succeeds.
+     * This is needed because TCP port 22 can be open before cloud-init
+     * has finished configuring the CA for certificate authentication.
+     *
+     * @param sshTestFn Function that attempts an SSH command and throws on failure
+     */
+    waitForSshAuth(sshTestFn: () => Promise<void>, timeoutMs?: number, pollIntervalMs?: number): Promise<void>;
+    /**
+     * Poll operation status in background and call onReady when COMPLETED.
+     * Returns a stop function and a done promise that resolves when the
+     * poller finishes (after onReady/onFailed callback completes or stop() is called).
+     */
+    pollOperationUntilReady(clusterId: string, onReady: () => Promise<void>, onFailed?: (error: string) => void, pollIntervalMs?: number): {
+        stop: () => void;
+        done: Promise<void>;
+    };
+    /**
+     * Check observability services health via HTTP endpoints
+     * @param masterIp Master node IP address
+     * @returns Object with service health status
+     */
+    checkObservabilityServices(masterIp: string, _nipHostnameToken?: string | null): Promise<{
+        prometheus: 'healthy' | 'unreachable';
+        grafana: 'healthy' | 'unreachable';
+        loki: 'healthy' | 'unreachable';
+        postgres: 'healthy' | 'unreachable';
+        redis: 'healthy' | 'unreachable';
+        fluiApi: 'healthy' | 'unreachable';
+        fluiWeb: 'healthy' | 'unreachable';
+    }>;
+    /**
+     * Check if a TCP port is reachable on a host
+     */
+    private checkTcpPort;
+    /**
+     * Sleep helper
+     */
+    private sleep;
+    waitForValidTls(url: string, timeoutMs?: number, intervalMs?: number, acmeStaging?: boolean): Promise<boolean>;
+    waitForOidcReady(apiBaseUrl: string, timeoutMs?: number, intervalMs?: number, acmeStaging?: boolean): Promise<boolean>;
+}